This repository features scripts written in the Cypher query language that can be used to import control catalogs and other data represented in the OSCAL format into a Neo4J graph database.
You will need the APOC library to scrape them directly from Github into the database. There is no need to download the files first.
For further background information on these scripts you may want to watch this presentation:
The slides from this presentation are available here
In the data directory you will find a set of Neo4J cypher commands. They will scrape the OSCAL representation of the NIST 800-53 catalog layer directly from Github into the Neo4J database.
There are also scripts to scrape the FedRAMP and NIST profiles (LOW, MEDIUM, HIGH and PRIVACY profiles). These will be linked to the catalog layer nodes so make sure to import these first.
A withdrawn control (the loop on sc-12 was confirmed by @usnistgov to probably be an error in the FISMA source):
A query shows the assessment-objective as well as the assessment-methods (i.e. "examine", "test", "interview") for the control AC-2.1.
Also included are the assessment-objects which should be examined as well as the required interview-partners:
Opposite view: listing all controls that can be interviewed with one distinct set of interview-partners over all control families:
These scripts will scrape the FedRAMP profiles (LOW, MEDIUM, HIGH) from the GitHub repository directly into Neo4J. They will be linked to the previously imported 800-53 controls and control enhancements, so make sure that you have imported them first.
Here a time range parameter of control enhancement AV-2.2 is constrained to a value of "24 hours from last use".
This applies to the second parameter of this statement: "Automatically {{ remove / disable }} temporary and emergency accounts after {{ organization-defined time period for each type of account }}."
Here: additional requirements and guidance are added to control RA-5.6:
The FedRAMP 'HIGH' profile puts more strict constraints on control parameters than the FedRAMP 'MODERATE' profile:
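The two-step import described above (catalog first, then a profile linked to the already existing control nodes), written out as an added example rather than one of the repository's own scripts. It assumes the OSCAL JSON layout of the NIST SP 800-53 catalog and of a FedRAMP profile; $catalogUrl and $profileUrl are assumed query parameters holding the raw GitHub URLs of the two JSON files, and the labels and relationship types are my own choice, not the repository's schema.

```cypher
// Added example, not one of the repository's scripts. Assumes the OSCAL JSON
// layout of the NIST SP 800-53 catalog and of a FedRAMP profile; $catalogUrl
// and $profileUrl are query parameters set to the raw GitHub URLs of the files.

// 1. Catalog -> families (groups) -> controls -> enhancements and parameters
CALL apoc.load.json($catalogUrl) YIELD value
WITH value.catalog AS cat
MERGE (c:Catalog {uuid: cat.uuid})
  SET c.title = cat.metadata.title, c.version = cat.metadata.version
WITH c, cat
UNWIND cat.groups AS g
MERGE (f:Family {id: g.id}) SET f.title = g.title
MERGE (c)-[:HAS_FAMILY]->(f)
WITH f, g
UNWIND g.controls AS ctl
MERGE (k:Control {id: ctl.id})
  SET k.title = ctl.title,
      // withdrawn controls carry a "status" prop; flag them instead of hiding them
      k.withdrawn = any(p IN coalesce(ctl.props, [])
                        WHERE p.name = 'status' AND p.value = 'withdrawn')
MERGE (f)-[:HAS_CONTROL]->(k)
// parameters referenced from statement prose as {{ insert: param, <id> }}
FOREACH (p IN coalesce(ctl.params, []) |
  MERGE (pa:Parameter {id: p.id}) SET pa.label = p.label
  MERGE (k)-[:HAS_PARAMETER]->(pa))
// enhancements are nested "controls" of the base control (e.g. ac-2.1)
FOREACH (e IN coalesce(ctl.controls, []) |
  MERGE (en:Control:Enhancement {id: e.id}) SET en.title = e.title
  MERGE (k)-[:HAS_ENHANCEMENT]->(en));

// 2. Profile -> the catalog controls it selects. MATCH (not MERGE) on Control,
//    so run step 1 first; ids with no catalog node are reported, not created.
CALL apoc.load.json($profileUrl) YIELD value
WITH value.profile AS prof
MERGE (p:Profile {uuid: prof.uuid}) SET p.title = prof.metadata.title
WITH p, prof
UNWIND prof.imports AS imp
UNWIND imp.`include-controls` AS inc
UNWIND inc.`with-ids` AS cid
OPTIONAL MATCH (k:Control {id: cid})
FOREACH (_ IN CASE WHEN k IS NULL THEN [] ELSE [1] END |
  MERGE (p)-[:SELECTS]->(k))
RETURN p.title AS profile, count(k) AS linked,
       collect(CASE WHEN k IS NULL THEN cid END) AS missing;
```

A non-empty `missing` list in the second statement is the check that the catalog was imported before the profile (or that the profile references a different catalog revision than the one loaded).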
There are other publicly available Neo4J databases that can be included as well, such as the graph from the SCKG project.
Combining such sources with the OSCAL imports can enable additional use cases such as compliance mappings between different standards. For instance, assessment results from an OSCAL model can be used to deduce compliance with certain topics from the perspective of a PCI DSS assessor.
SCKG doesn't model all of the standards in the greatest depth (e.g. control enhancements, properties and parts are not differentiated for 800-53), but it makes up for that by including a lot of standards.
Compliance Mapping: a connection from PCI DSS to ISO/IEC 27001:2013 was found by the "shortestPath" algorithm using a NIST CSF control as an intermediary.
This is accomplished by using the SCKG graph.
We can deduce that there is an analogy between the ISO 27001 control A.14.2.8 ("System Security Testing") and the PCI DSS controls 11.4 ("Use intrusion detection and prevention") and 11.5 ("Deploy a change detection mechanism"):
SCKG: A shortest-path connection between Cobit 5 APO-012.02 ("Analyse risk") and NIST 800-53rev4 PM-16 ("Threat awareness program"), again using a NIST CSF control as an intermediary.
The complete database schema currently looks as follows (this includes nodes from SCKG, see above):
This project is not endorsed by or affiliated with NIST.gov. For official publications please go to https://github.com/usnistgov.
This project is copyrighted under a CC BY-NC 4.0 license.
"Open source work by the U.S. government that is in the public domain contributed under the National Institute of Standards and Technology License. Open source work contributed by members of the public based on the CC0 1.0 Universal license."
"As a work of the United States government, this project is in the public domain within the United States under the National Institute of Standards and Technology License. Additionally, we waive copyright and related rights in the work worldwide through the CC0 1.0 Universal public domain dedication."